Security Corner

A friend of mine recently had to inform his staff of a new password policy requiring all of the following: Upper and lower case letters, a number, a special character, at least 12 characters in length and had not been used in the last six months. Someone sent him this meme in reply:

It’s that special day again: Halloween! And this is once again my Happy Halloween message to you. This year, I have chosen a different presentation for you.

IMHO, no writer in history embodies the essence of Halloween more than Edgar Allen Poe whom I consider the creator of the horror genre (yes, I know he’s credited as the creator of detective-fiction and contributor to the science fiction genre but he dealt more in the macabre than anything else).

Poe’s short story, “The Gold Bug,” is what got me interested in ciphers and encryption as a young boy; a collection of his most popular short stories is what inspired me to become a writer.

So, on this Halloween 2015 I present a very special reading of Poe’s famous short story, “The Tell-Tale Heart.” Enjoy!

We security types love to blame simple, easy-to-guess passwords for all our problems. We come up with ways for people to generate complex, hard-to-guess passwords that are yet easy to remember. We educate, we cajole, sometimes we shout. We chant our mantra: “Long, complex…long, complex…” Many of us don’t even consider that there could be an even bigger problem; in fact, the biggest password problem isn’t the use of weak passwords. It’s the REUSE of ANY password. We should be preaching against the sin of password reuse more than the sin of weak passwords.

According to security researcher Graham Cluley,

…everyone should run a strict “one password, one website” policy. Reusing passwords is playing Russian roulette with your online identity and (potentially) your finances. It’s very common for hackers who have stolen data from one site to then see if they can unlock accounts on other websites using the same credentials.

And you know what? More times than not, it works.

Internet users need to learn that the biggest password problem is not actually dumb, guessable passwords. The biggest password problem is reuse.

I wholeheartedly agree!

Now go and have a great H@110W33n weekend. And don’t forget to turn back your clocks.

Gosh, I’ve been busier than a centipede on a tightwire and now this. The big news last week is that LastPass was purchased by LogMeIn. LastPass is the #1 rated password manager that I have used for years. This caused quite a stir with many of its users, given LogMeIn’s not-favorable reputation after removing free account support from products in 2014 and starting to cross-sell products to increase revenue.

Thanks to an interview with LastPass’s CEO and Founder, Joe Siegrist, by Steve Gibson and Leo LaPorte of Security Now, some of the misgivings may have been allayed. You can watch the 20-minute interview below.

I, for one, plan to continue to use LastPass as a premium subscriber. I trust them for their security and transparency and it will take a pretty substantial change in the way they do things to make me consider changing. Should you keep using LastPass? You be the judge.

During a recent rash of malware infections on students’ laptops, most of which were probably drive-bys or served by frames in otherwise innocuous pages, I remembered a solution that had once served me well: A HOSTS file. As you know, a HOSTS file is a text file on your computer that is used to map host names to IP addresses, but did you know that this was the precursor to DNS? Back in the ARPANET days, this file was manually updated as new hosts came on line or their addresses changed. The file was shared with the members of the network so they could all communicate. DNS made sharing and updating host addresses automatic and relegated the HOSTS file to use mostly on local networks.

While the file isn’t broadly used on most networks these days, it remains an integral part of the networking stack on all operating systems. It is the first thing that is checked prior to routing traffic and usually takes precedence over DNS. This makes it very useful for blocking access to unwanted web sites or servers. All you have to do is make an entry in HOSTS.TXT that points the web site or server address to the local machine address, 127.0.0.1. The good folks over at MVPS.org for years have been maintaining a hosts file that does just that. It contains thousands of malicious, useless, or unwanted websites.

I’m going to try using this again on some student laptops and see if it helps. I’ll let you know. In the meantime, you can read all about it and download the file for yourself here.

Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

But how do you prevent users from using common passwords? Simple: Blacklist the most common passwords (I’ll be writing about this later). I would include code to check to see if user name or company name or other common strategies are used and refuse to accept them.

I won’t elaborate further; you can read the document and glean from it what you will. However, here is the list of tips. A couple of them offer a different view. It’s definitely worth your time to download and read this whole thing.

In these days of of high profile data breaches, it behooves us to take another look (or two) at passwords. Computing power has increased at phenomenal rates over the years making it (relatively) straightforward to defeat short and simple passwords with common, freely available hacking tools. If you want to explore the exponential increase in computing power further, this Wikipedia article on Moore’s Law is quite enlightening. Here’s an interesting comparison:

[Illustration] An Osborne Executive portable computer, from 1982, with a Zilog Z80 4 MHz CPU, and a 2007 AppleiPhone with a 412 MHz ARM11 CPU; the Executive weighs 100 times as much, has nearly 500 times the volume, costs approximately 10 times as much (adjusted for inflation), and has about 1/100th the clock frequency of the smartphone.

In March, 2014, I posted “Oh no! Not another password post!” In that post, I recommended 12 characters for a minimum length and said that 15 characters is even better. I still stand by those numbers at this date; however, I did not address password complexity in that post. Length means nothing if the password is either one that is commonly used–such as those on this list–or is a dictionary word or common phrase. “LetMeIn” and “antidisestablishmentarianism” are equally useless. Even “TippecanoeandTylerToo,” though seemingly complex, would be easily cracked as it’s a common phrase from American history.

Complexity connotes intricacy: The more intricate the pattern of a maze, for instance, the more complex its solution. Intricacy connotes quantity: The more parts the there are to a machine, the more intricate its design. Therefore, we make passwords more complex by using more parts in their creation. This is simply illustrated by comparison. “Password” is eight characters long and uses only letters; “P12@#or9” is also eight characters long but uses letters, numerals and special characters. The latter is the more complex.

So, how long is long enough; how complex is complex enough? A password that is 12 to 15 characters long, is not a common word or phrase, is a mixture of upper and lower case letters, uses special characters and some numerals, should be good for most situations.

Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals.

While it used to be that only desktops and laptops were affected, now mobile phones are being targeted. According to Wired, last week news broke about “The so-called Porn Droid app that targets Android users and allows attackers to lock the phone and change its PIN number while demanding a $500 ransom from victims to regain access.” Read the article here.

It’s a very lucrative business. Last year victims paid an estimated $27 million to the crooks according to the FBI.

The best protection against becoming a victim of ransomware is to have a good antivirus and keep it updated along with making regular backups of your data that are stored on an offline device.

An interesting conversation with our interim campus president at the college today brought back to mind a post from more than five years ago. A server crash this morning made her wonder if a former network administrator, who did not leave on good terms, still somehow had a hand in the incident. Apparently, this fellow had succeeded in planting a logic bomb in the network timed to go off on the date of each new term start. Today was a new term start; today the server crashed. Our president’s logic said that “[name withheld] was up to his old tricks.” It wasn’t that, fortunately. The power supply died.

What was revealing about that conversation is that management at the time failed to consider an internal threat. No doubt the other faux pas were also committed. I saw evidence of them when I first took on the role of network administrator and have since corrected things. So, here’s a reminder of how NOT to do things.

Here are my Top Five Security Faux Pas beginning with number five:

5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are usually first to discover the security flaws and they’re the first to exploit them.

4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a Cisco Certified CCIE-Security on staff? Good for you! If not, this isn’t a good option.

3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be. Buried among those thousands of failed attempts a finding an open port are those few that manage to attempt a connection and fail. Do you see them?

2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.

1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…

Not to sing my own praises, but to sing my own praises, they picked the right guy when they picked me; there have been no major security incidents since I took over.

About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.